HSTS redirection warning false positive when redirecting to parent host with includeSubDomains

[ivanr]

We currently have a rule that checks if the redirections are properly implemented and activate HSTS. The rule is that a request to plaintext www.example.com must be redirected to encrypted www.example.com before it goes anywhere else. However, this rule creates false positives in the case when there is a redirection to the parent host with includeSubDomains enabled.

[ivanr]

Fixed as of a couple weeks ago.

[adrelanos]

Regression? Bug happening again?

https://www.hardenize.com/report/whonix.org/1670890391#www_hsts

Hardenize notices: includeSubDomains=true

Policy preloaded
Excellent. This host is covered by a preloaded HSTS policy.
Preloaded host: whonix.org; includeSubDomains=true

Therefore it seems the following error is a false-positive:

Redirection from HTTP to HTTPS not to the same host
When HSTS is used, the plaintext port should redirect to the HTTPS variant of the same hostname. This approach ensures that HSTS is enabled on that hostname, even if later the client is sent elsewhere. A redirection to another host is only safe if it is for a parent host that has HSTS with includeSubDomains enabled, but that's not the case here.
Starting point: http://whonix.org

Current redirection: https://www.whonix.org/

Expected redirection: https://whonix.org

Could you re-open please?